Trade Law Daily is a service of Warren Communications News.

Latest FISMA Scores ‘Mixed at Best’; DHS Fails for 3rd Year

Govt. security experts called agencies’ rankings on the annual Federal Information Security Management Act (FISMA) report, released Thurs., “disappointing.” Govt. at large got a D+ on network security, with an F to the Dept. of Homeland Security (DHS) for the 3rd year running; State, Defense, Agriculture, Energy, Health & Human Services, Transportation and Veterans Affairs also got failing grades on the House Govt. Reform Committee scorecard.


Some agencies’ scores dropped. The Dept. of Justice slid from a B- in 2004 to a D in 2005; Interior drew an F on the heels of 2004’s C+, the committee said. Committee Chmn. Davis (R-Va.) called the scores “unacceptably low.” Guarding govt. networks is “vital to our national security, continuity of operations and our economy,” he said. High-tech information channels linking agencies must be able to move data to people “at the right place and right time” and those data must move “seamlessly and securely,” Davis said.

Cyberattacks can start anywhere, anytime and agencies are prime targets for terrorists, ID thieves and hackers, Davis said. But “agencies on the front lines in the war on terror” faltered, he said. Experts from the Govt. Accountability Office (GAO) and Office of Management & Budget as well as CIOs from DHS, Defense, Labor and Social Security Administration testified at the hearings.

Agencies’ progress is “mixed at best,” GAO Information Security Dir. Gregory Wilshusen said: “Agencies have made progress in several areas but have slipped in others,” he said. More systems are meeting key performance measures, but the percentage of agency systems reviewed declined and the number of employees and contractors receiving security awareness training decreased, he said. Only 13 agencies reported that inventories of major systems were substantially complete in 2005. Contingency plans for security breaches were also sparse, Wilshusen said.

Incident reporting to the U.S. Computer Emergency Readiness Team (US-CERT) is sporadic and incomplete, the report said, but OMB E-Govt. Administrator Karen Evans said she’s working to overhaul the reporting process. After a string of questions about DHS slackness, a frustrated Rep. Clay (D-Mo.) accused Evans of “defending the incompetence” of the agency. “It is possible for large agencies with aging systems and vast amounts of sensitive data to comply with FISMA,” Ranking Member Waxman (D-Cal.) said: “The A+ grade of the Social Security Administration proves it.”

CIO Scott Charbo defended DHS, saying it has come “a long way in just 3 short years.” Agencywide security policies are codified and its systems security architecture is integrated into DHS’s enterprise architecture, he said. DHS regularly updates security policies and systems security architecture, enforcing compliance through mandatory management tools in use agencywide, Charbo said.

DHS’s FISMA inventory lists about 700 systems; not long ago, the number of systems fully accredited by the agency’s internal remediation project was only 26%, Charbo said. By the end of Feb., over 60% of the systems were accredited and DHS is on track to make the goal of full remediation by year’s end, he said. DHS started an infrastructure transformation program, OneNet, to bring legacy IT infrastructures under a single program, Charbo said. Despite DHS’s lousy FISMA grade, he voiced confidence its data security program is “moving in the right direction.” Lawmakers queried whether the agency is moving quickly enough to head off attacks.

FISMA’s main failure is that it creates and gauges paper-based processes, not technical processes, INPUT said. The yearly scoring has mutated into a “paperwork drill” among agencies, “consuming an inordinate amount of resources for reporting progress while putting in place very little in the way of actual security improvements,” INPUT Vp-Information Security Bruce Brody said. The system-by-system and site-by-site approach to reporting security issues fails to heed the importance of backbone infrastructure security improvements, he said.

Wilshusen challenged that claim, saying FISMA reporting is only part of a larger framework intended to assure a secure infrastructure for federal operations. “If certain agencies are reducing FISMA to a paperwork exercise, they’re not going to enjoy the benefits by implementing them,” he said. That framework requires development of risk-based policies, best practices, employee training and other activities, he said. Agency brass must be accountable for failures, but managing govt. security is a “complex and challenging job,” Wilshusen said. “Many computing environments have highly complex, distributive information systems and networks,” he said: “Because of that interconnectedness, vulnerabilities on one server can affect an entire network.”

Departments truly seeking to be more secure, regardless of FISMA credit, need 5 objectives, INPUT said: (1) Know the network, including any and all interconnections and wireless connections. (2) Know the traffic on the network. (3) Lose passwords and move to 2-factor authentication. (4) Deploy host-based intrusion prevention systems. (5) Do vulnerability and configuration management. From the commercial information security industry’s perspective, federal floundering offers opportunities for business, INPUT said. The private sector can aid agencies with FISMA compliance and in getting secure, Brody said.